<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="UTF-8" />
		<meta name="viewport" content="width=device-width, initial-scale=1.0" />
		<title>XSS跨站脚本攻击</title>
	</head>
	<body>
		<textarea id="input"></textarea>

		<script>
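			// DOM XSS demo: echo the textarea's contents into the page each time Enter is pressed.
			document.addEventListener('keydown', (e) => {
				// e.key replaces the deprecated keyCode 13. The isComposing check skips the
				// Enter keystroke that only confirms an IME candidate.
				if (e.key !== 'Enter' || e.isComposing) {
					return
				}

				const typed = document.getElementById('input').value

				// Append the input as a text node rather than concatenating it into innerHTML.
				// A text node is never parsed as markup, so no hand-written escaping is needed
				// and characters such as & are shown exactly as typed. Replacing only < and >
				// is adequate solely for text placed between tags; the same string written into
				// an attribute value or a script context would need different encoding.
				// Assigning to body.innerHTML would also re-parse the whole body and swap every
				// existing element (including the textarea) for a fresh copy.
				document.body.appendChild(document.createTextNode(typed))
			})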
		</script>

		<!-- *************************************************************************************************************** -->

		<!-- Third-party library: js-xss, used to prevent XSS attacks. -->
		<!-- NOTE(review): this tag loads whatever is currently on the repository's master branch
		     from a third-party host and has no integrity attribute, so the page runs unreviewed
		     remote code with full access to the DOM. RawGit announced its shutdown in 2018, so
		     the URL may also no longer resolve. Prefer a self-hosted, reviewed copy, or a URL
		     pinned to a release together with the integrity and crossorigin attributes. -->
		<script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>

		<script>
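			// In the browser the library is called through the global function filterXSS;
			// usage is otherwise the same.
			// The closing tag in the sample string is split ('</scr' + 'ipt>') so the HTML
			// parser does not read it as the end of this inline script element.
			if (typeof filterXSS === 'function') {
				var html = filterXSS('<script>alert("xss");</scr' + 'ipt>')
				alert(html)
			} else {
				// The sanitizer comes from an external script that can fail to load. Fail closed:
				// report the problem instead of throwing a ReferenceError or handling the sample
				// unsanitized.
				console.error('js-xss did not load: filterXSS is unavailable, sample was not processed')
			}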
		</script>
	</body>
</html>
